On February 19, 2020 the European Data Protection Board ("EDPB") published its second statement on privacy in the context of corporate transactions.
The statement, the full text of which can be read here, highlights concerns about the combination and accumulation of sensitive personal data and the possibility that such combinations could result in a high level of risk to the fundamental rights to privacy and the protection of personal data.
The EDPB's statement does not propose any particular steps to mitigate such concerns, but explains that:
- the privacy implications of a merger must be taken into account by the parties to the transaction;
- in compliance with the principle of accountability under the EU General Data Protection Regulation 2016/679 (the "GDPR"), the parties must conduct in a transparent way a full assessment of the data protection requirements and privacy implications of the merger; and
- the parties should mitigate the possible risks of the merger to the rights to privacy and data protection, before notifying the merger to the European Commission.

The EDPB also made reference to its previous statement, accessible here, on the importance of assessing longer-term implications for the protection of economic, data protection and consumer rights whenever a significant merger is proposed.
In light of the increased scrutiny on the part of regulators, it has become crucial to consider personal data protection throughout the transaction process. We explore the relevant data sharing and due diligence considerations below.
Substantive Privacy Due Diligence
State-of-the-art data privacy diligence has become indispensable for purchasers seeking to avoid onboarding GDPR liability through their acquisitions. Purchasers may be exposed to significant financial and reputational risks from privacy and cybersecurity issues inherited through an acquisition. Marriott's 2016 acquisition of Starwood Hotels gave rise to this very issue. Marriott is currently facing lawsuits in the United States, as well as a potential £99 million fine from UK regulators, in connection with the massive personal data breach that affected the Starwood customer database (see our previous blog post here). The UK Information Commissioner's Office stated that Marriott "failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems".
Due to the complex, fast-evolving regulatory environment...